The latest bug "facilitates full Java sandbox bypass on latest Java 7 Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations, wrote in an e-mail to Ars. His team developed proof-of-concept code and delivered it on Friday to Oracle engineers. The discovery of the new critical bug was reported earlier by IDG News. There are no reports that it is being exploited online.

"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."

Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."

An Oracle spokeswoman responding to a request for comment referred Ars to this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.

This week's attacks, and Oracle's lack of public response to them, have renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also disagreed with the advice.)

Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.

Said Gowdiak: "When combined with some of the April 2012 issues, the new issue allows [one] to achieve a complete [Java virtual machine] sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on August 30, 2012)."

Promoted Comments

From the article: "Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported..."

Except this Mac user has no problems using Adobe Photoshop and Dreamweaver (CS6) on a Mac (10.6.8) with Java disabled via the Java Preferences.app.

Now, it may be that the installer won't install without Java being at least physically present, and it may be that certain collaborative features don't function as intended without Java enabled, but the Adobe applications I use on a regular basis don't seem to be complaining!

Certain chemistry-related web tools will require me to turn Java back on periodically, but I really don't use them often enough to worry about it; much easier to leave it off until needed.

I lost a lot of respect for many Ars readers (and Ars as a whole) here today.

I thought we were supposed to be a technical audience? If so, why is it that so many people posting in here seem to think that because at least one serious exploit exists in the Java framework that the reasonable course of action is to either uninstall it completely from all of their machines, or to disable it and cripple it so as to render it completely unusable until you need it? This is what I would expect a sales associate at Best Buy to recommend to someone because they don't have a great understanding about what Java actually is.

Those of us who know and understand a lot more than that and have some experience under our belts know that this is a commonplace problem for many other software frameworks as well; it's nothing new. Some people are treating it like it's the freaking apocalypse!

Sure, Oracle has gone full retard with this whole situation, and may arguably have even ruined how stable Java used to be, but this is FAR, FAR, FAR, FAR, FAAAAAAAR from a reasonable reason to declare a war on Java by removing it from everything you can.

This is going to blow over. It always does. Welcome to the industry.

I'm not doing anything to my Java installation (I use the SDK frequently, but that's beside the point). Nothing's going to happen, seriously. Only if you go to some shady website, and I thought most of us here were smarter than that.

So are you saying the only people who get exposed to drive-by exploits are those who visit porn or warez sites? If so, that's a breathtaking statement that was proven false years ago. Witness:

Think about your PC for a moment. Strike that, think about a generalized computer. There are only two ways in which a remote site can interact with that computer:

A) If the computer has a service listening on a port (i.e. it's acting as a server);

B) If the computer initiates contact with another computer (i.e. you're browsing the web or checking email).

Now, A pretty much goes away if you're running a firewall, doubly so if you're also running a NAT firewall/router on your home network. If you don't have any services listening on any ports, OR you've got them all firewalled off, it is simply not possible for another computer to initiate any sort of communications with your PC. That leaves B.

With respect to B, you're using your web browser, email software, or usenet client (heh heh -- right?). If you don't have a Java plugin running in your browser, email software, or usenet client, there isn't any Java in your "attack surface". Zip, nada, zilch. Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

Simply having Java does NOT mean it's a part of your "attack surface". You have to look at the boundaries, the ways in which your PC initiates communications with the outside world. What comes in, what goes out, and how it's processed.

If your Java isn't doing anything with the network, it's not part of your "attack surface".

NOTE: Someone said yesterday that if they could get access to your PC, they could run some kind of poison Jar file on it and that means Java's still a problem. I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java? They already have you at that point. They could even install Java if they wanted. As I told him, Java on the desktop doesn't have a sandbox anyway -- it runs with your user privileges like any other program. This is all about the browser, and nothing but the browser.

I'm unsure at this point, if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is and instead are giving the kind of advice that I'd expect from an employee at Best Buy.

I completely agree that if a user isn't using an application, and if the application has become a significant risk to security, then the application should be removed.

The problem here, and why I think some of us are getting hot-under-the-collar, is that the article doesn't make clear what the exact attack-vector is, so the only thing we really know is that the attack-surface is the JVM. But the JVM is *not* an application! It is a platform that can take on a multitude of different forms (server-side, client-side, android, browser-plugin, etc). There are also two supported versions by Oracle, JVM 6 and JVM 7. This situation is similar to Microsoft Windows XP vs Vista. In fact it's worse, since the JVM really tries to act like a chameleon (unsuccessfully)... ideally you shouldn't even know if you're using it or not.

So from a developer's POV, your advice in the article is tantamount to advising users to abandon a platform because there were bugs found in it. And you're getting the same vitriol as if you were to advise people to uninstall Windows because Vista was buggy, or to switch to iOS because a particular version of Android is buggy. Some people shout hallelujah while others gnash their teeth.

Now no one can disagree with you that uninstalling the JVM completely would fix the issue, but it is the most extreme approach. I think equally valid advice would be to treat the JVM like any other platform: stay on the current version until the next one gets figured out. Or if that doesn't happen, find a better platform. Surely you've done this with OS X, Fedora, Debian, Windows, Ubuntu, KDE4, whatever...

I'd love a better/more-open VM, but right now the JVM is really the gold-standard (CLR is a non-starter for me). Folks are using it for high-performance computing (Hadoop, Lucene, etc.) and they're using a form of it on their devices (Dalvik, Android). It would just be a terrible thing to have it fail so completely on the desktop. This isn't like flash, people. Ah, c'est la vie.

By the way, would it be too much to ask to get some Editor's Picks for the pro-JVM side? Surely they weren't all bad?

155 Reader Comments

There is a bug in Java that allows some hacker idiots somewhere to take full control of a computer by silently installing a virus or trojan of some other thing dreamed up in some demented mind somewhere. Oracle released a fixed update yesterday (which I installed), but now there is still a bug in the fixed update released yesterday that still allows the same thing to happen that the update was supposed to fix.

That about right?

Does anyone actually do any work at Oracle?

Close enough. The vulnerability doesn't allow "full control" of the computer in the sense that only user privileges are obtained. Which, of course, is pretty ridiculously bad.

As for your last question... hey... it's the Friday before a three-day holiday weekend. Everyone left the office at noon.

The editors and commenters of this site seem to equate Java with the web plugin which has really been dead for years. I agree that plugin needs to be retired.

To me, Java is an amazing open source software platform for various types of server computing, data and numeric processing.

MarkIt wrote:

jarvis wrote:

I still don't understand why people want to use Java. I've always found it to be a resource hog with poor performance. Can we just get rid of it already?

As a Java programmer who had used many other languages, I can only say that Java is the most programmer friendly of them all.

As an architect of several Java-based high traffic web sites, I can only say that poor performance is a myth, you can achieve some serious performance figures with Java.

As a Java fan, I can only say that it had a good run. Or not really in browsers... ever... but otherwise... Then Oracle came, destroyed its reputation, and you know how hard that sort of problem is to fix. I, like many others, had a bad feeling when that Sun acquisition was announced. Now I feel even worse.

Most "Java" fans seem to prefer either Scala or Clojure as a language over Java, but Java is still the platform.

If your software is so shit it gets broken by Java point releases then it needs re-writing...

EDIT: Even if you are unlucky enough to run into a regression if it is critical and it isn't caught by your automated tests and/or QA within a reasonable timeframe (i.e. a few days) then you are doing it wrong.

Viewer wrote:

Most "Java" fans seem to prefer either Scala

Apart from the fact that Scala is mental and keeps introducing breaking changes.

@Nomi1985: I'm not exactly waxing philosophical; I've been programming Java for nearly a decade, mostly in small to mid-size projects (about 56,000 lines of code for my favorite one). I've done C# and VB.Net, also (another 50KLOC project there), before I switched to Java full time around eight years ago.

In my professional opinion, anyone who sets up their software so it looks for a specific JRE version (or who uses a deprecated API knowing it's going to "go away") should be taken off programming duty and put somewhere where he can't do any harm, like reading level 1 tech support scripts to furious, angry users. After a year of "Have you tried turning it off and on again?" maybe they'll behave themselves. The programmers, not the users.

In your case, since it sounds like you're stuck with their boneriffic work, here's a modest suggestion:

Take a test box you don't care about, and install each old version of Java you need on it. Then, create a zip file from each Java installation directory. On your user PCs, always install the latest/greatest as the main Java install, but whenever a specific JRE is needed, unzip it to the needy application's main directory under "OldJava" (or whatever). Write yourself a batch file or shell script (depending on Windows or Unix) that starts the application with the app-specific JRE using a relative path.

Presto! You've bundled an old JRE with your app, and it's the only thing using it on that box (no registry issues, no competition with other JREs). Everything else gets the fancy, new, secure JRE you installed normally. You can update the old JRE (if updates exist) on your test box, zip it up, then roll out the changes using your normal provisioning software. As long as people use your startup script to start the app (and why wouldn't they?) they'll always be using the correct JRE.

Again, I think it's pretty DUMB to code for a specific JRE, and saying "Sun took something away" is no excuse. You have literally YEARS of warning when they're going to deprecate something. There are some function calls in Java 6 used for setting the next component in a tab order which still work, but are deprecated. I think they were deprecated back in Java 2, but they're STILL THERE. It's that "backwards compatibility" you're saying Java doesn't have. I suppose they might be gone in Java 7, so I stopped using them.

If you write plain jane Java code, you stick to the stuff in the standard library, and you avoid buying UI objects from random weirdos you found on the net (people really do this, why I have no idea), you probably have nothing to worry about when upgrades arrive. It's the developer who tries to show off and use some weird obscure package who gets stung. Remember, Sun won't deprecate something everyone's using. They deprecate things most people aren't using, which don't seem to be popular or optimal. So don't get weird with your code and you're OK.

Your problem is not Java. It's how your company approaches development.

By the way, if you want to make your programmer's heads asplode, ask them whether they've made their UIs "Accessible" yet. Make sure to sound really innocent when you ask.
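The startup-script step from the comment above, written out as an added example (this is not the commenter's own script, nor anything shipped by Oracle). It assumes the app-private JRE was unzipped to an `OldJava` directory inside the application directory, as the comment suggests, that the application is started from a jar, and that the caller passes the application directory; `launch_app`, `resolve_java`, `java_origin` and `app.jar` are names chosen for this example.

```sh
#!/bin/sh
# Added example: start an application with an app-private JRE unpacked under
# "<app dir>/OldJava" (directory name taken from the comment above), falling
# back to whatever "java" is on PATH. Only this launcher knows about the
# private JRE, so the system-wide JRE can be kept current on its own schedule.

# Print the java binary to use for the application rooted at $1.
# Returns 1 (and prints nothing) when neither a bundled nor a PATH java exists.
resolve_java() {
    app_dir=$1
    bundled="$app_dir/OldJava/bin/java"
    if [ -x "$bundled" ]; then
        printf '%s\n' "$bundled"
    elif command -v java >/dev/null 2>&1; then
        command -v java
    else
        return 1
    fi
}

# Print "bundled" or "system" for the java that resolve_java would pick,
# so the startup script can log which runtime a user actually got.
java_origin() {
    java_bin=$(resolve_java "$1") || return 1
    case $java_bin in
        "$1"/OldJava/bin/java) echo bundled ;;
        *) echo system ;;
    esac
}

# Launch the jar named in $2 inside the application directory $1 with the
# resolved JRE; any remaining arguments are passed through to the application.
launch_app() {
    app_dir=$1
    jar=$2
    shift 2
    java_bin=$(resolve_java "$app_dir") || {
        echo "no usable JRE found for $app_dir" >&2
        return 1
    }
    # The relative layout matters: jar and JRE travel together, so the same
    # script works wherever the application directory ends up installed.
    exec "$java_bin" -jar "$app_dir/$jar" "$@"
}

# Usage, from a wrapper script in the application's directory (hypothetical):
#   launch_app "$(dirname "$0")" app.jar --some-flag
```

Because `launch_app` calls `exec`, the JRE process replaces the wrapper shell, so the application's exit status and signals behave as if it had been started directly.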

Only yesterday I installed this silly update. If not for Air Video Server, I would get rid of Java runtime entirely.

And what is the problem, exactly? Air Video Server, being an ios-centric solution, does not seem to use anything that invokes Java from a browser, which means this is a non-issue for you.

As the article author alluded, everything is an attack vector, even your precious Air Video Server. In Method chose to use Java as their platform. They obviously saw some benefit in doing so. Now you benefit from the fruits of their labor. Win-win!

I do believe there was a full write-up of the complete process of doing so in IE on a subreddit somewhere, which involved registry key edits, ticking checkboxes in the java control panel.

I just had a JInitiator flashback. Curses! My eyes!

LoneWolf1510 wrote:

That being said, Java's performance is absolute ass, especially when considering graphics rendering. Their opengl implementation versus a compiled version, the compiled typically wins hands down, even with more work to do in the end.

WHAT??? That is SO unfair. Java is generally not the go-to platform for game development. Most graphics intensive games are written in C or C++, are they not? It's as if you were criticising a Jeep because it's not as fast as a Porsche on the highway... Yeah, SURE, but let's see how your Porsche does on my logging road!

Simply having Java does NOT mean it's a part of your "attack surface". You have to look at the boundaries, the ways in which your PC initiates communications with the outside world. What comes in, what goes out, and how it's processed.

If your Java isn't doing anything with the network, it's not part of your "attack surface".

Your argument has a lot of appeal. I think it's especially appealing for people who truly depend on Java for apps they want or need to run. But I'm going to defer to the security experts who say that the JVM *is* attack surface that should be eliminated if it's not needed.

Dan, anyone can SAY they're a "security expert" and even if they ARE a security expert, they might still be incorrect or exaggerating out of a personal bias. People can often be very opinionated, and act as though something is an absolute moral truth when in fact it's just their opinion.

I've been a Java programmer/analyst for eight years full time, and for another year back in 1999. I suggest that I know far more about Java than ANY "security expert" who says it should be removed. Of course, I defer to the people at Red Hat who work on the actual Java code, but THEY say this vulnerability only affects the browser plugin. A point for me...

As far as "Attack Surface" goes, how about some information from CERT, the Computer Emergency Response Team at Carnegie Mellon?

First, a page at CERT that talks about Vulnerabilities and Attack Surface:

In other words, my point about the browser plugin being the part of Java that affects the attack surface was sound. Other parts of the JRE do NOT provide an attack surface unless some Java program running on the machine opens up a port or initiates communications. The attack surface is, specifically, the collection of resources which an outside attacker can use to gain access to the system.

Now, the JRE (without the browser plugin, and assuming the user isn't running a Java program that initiates communication, like a web browser written in Java) does NOT afford anyone any ability to access the system. Once an attacker is already on the system and able to access the JRE, he's ALREADY ON THE SYSTEM. Anyway, he can only run the JRE using whatever user rights he's already managed to grab for himself. So the JRE is NO DIFFERENT from any other software environment available on a system. Saying it's more dangerous than, say, a normal executable or a scripting language is absurd.

Before anyone says "what if I mail you a bad Jar file?" I say "pish tosh". Mostly because I like saying pish tosh, but that's another issue. What if you mail me a bad .exe file? What if you mail me a bad shell script? What if you mail me a virus in a gif? What if you mail me a link to a web page that plays a dirty movie? You're talking about using EMAIL as a vector, not the JRE. And if you use email as a vector, anything goes. If a user is foolish enough to run whatever you send him, uninstalling Java isn't going to save the guy. You know this is true...

There is a bug in Java that allows some hacker idiots somewhere to take full control of a computer by silently installing a virus or trojan of some other thing dreamed up in some demented mind somewhere. Oracle released a fixed update yesterday (which I installed), but now there is still a bug in the fixed update released yesterday that still allows the same thing to happen that the update was supposed to fix.

That about right?

Does anyone actually do any work at Oracle?

Pretty much. Except you left out the part that Oracle was informed of these flaws (19 of them) 4 months ago, back in April (and the people who pointed these flaws out even included proof-of-concept exploits for them) -- yet Oracle was going to leave off shipping the patches 'till the regular October update, 2 more months from now.

It sounds more like management thinking, than what actual devs would choose to do.

1) As far as I can tell, Adobe Dreamweaver comes with its own, bundled JRE. So, disable/enable Java all you want: it will simply launch its own version of Java. This is true for other programs as well, since doing this means you don't have to worry about what version of Java a user might have installed.

Here's a quick hack you can try if you want. I did this with Oracle Application Server a while ago, to upgrade it from JDK 1.4.2 to JDK6 on the sneak. This might not work! Make sure you back up your system first!

First, go into your Dreamweaver's install directory. Find its Java install. If you're lucky, it'll be self-enclosed. The top level directory is the one with "bin" in it (not the JRE subdirectory!). Copy the whole directory and put it away somewhere safe. Now empty it out.

Next, install a modern version of Java. Set the installation directory to be the one where Dreamweaver kept its java. Same path. When the installer finishes, fire up Dreamweaver and see whether everything works.

You might also have to look in your "Dreamweaver Java" backup to see if there were any extra non-Java directories in it, with Dreamweaver specific packages. If so, copy the non-Java directory and put the copy in your new Java directory the same way it was before.

NOTE: If you update Dreamweaver, make sure you put the old Java back before the update, and the new Java back in after. Their update might expect to see their old files. To swap versions, just copy the whole directory, clear it out, and paste the other one the same way as before.

Before anyone asks, yes, yes, I go off the ranch all the time. But it works, mostly.
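The swap described in the steps above, as an added example script (not the commenter's own, and not an Adobe or Oracle tool). Instead of running the Java installer into the emptied directory, it copies an already installed newer JRE into place; it assumes three arguments, the application's bundled Java directory, the new JRE tree, and a backup location, and it carries over any top-level directories the old tree had that the new JRE lacks (the application-specific extras the comment mentions). All paths and function names are assumptions for the example.

```sh
#!/bin/sh
# Added example: replace an application's bundled JRE with a newer one, keeping
# a full copy of the old tree and carrying over the application-specific
# directories that the new JRE does not provide. Directory names are assumed.

# Copy the current bundled Java tree ($1) to the backup location ($2).
# Refuses to run if the backup already exists, so an earlier copy is never
# silently overwritten.
backup_bundled_jre() {
    src=$1 backup=$2
    [ -d "$src" ] || { echo "no Java directory at $src" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "backup $backup already exists" >&2; return 1; }
    cp -R "$src" "$backup"
}

# Print the top-level entries present in $1 but absent from $2: the extras
# that must survive the swap.
extra_entries() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        [ -e "$2/$name" ] || printf '%s\n' "$name"
    done
}

# Swap: back up $1 to $3, empty $1, copy the new JRE $2 into it, then restore
# the extras from the backup. The new tree is checked for bin/java first, so a
# wrong path never empties the application's Java directory.
swap_bundled_jre() {
    app_java=$1 new_jre=$2 backup=$3
    [ -x "$new_jre/bin/java" ] || { echo "$new_jre has no bin/java" >&2; return 1; }
    backup_bundled_jre "$app_java" "$backup" || return 1
    rm -rf "$app_java"
    mkdir -p "$app_java"
    cp -R "$new_jre"/. "$app_java"/ || return 1
    extra_entries "$backup" "$new_jre" | while IFS= read -r name; do
        cp -R "$backup/$name" "$app_java/$name" || exit 1
    done
}

# Reverse the swap before an application update: put the backed-up tree back
# so the vendor's updater finds the files it expects.
restore_bundled_jre() {
    app_java=$1 backup=$2
    [ -d "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    rm -rf "$app_java"
    cp -R "$backup" "$app_java"
}

# Usage (hypothetical paths):
#   swap_bundled_jre /opt/app/java /opt/jre-current /opt/app/java.bak
#   restore_bundled_jre /opt/app/java /opt/app/java.bak   # before updating the app
```

Keeping the backup outside the application directory, and refusing to overwrite it, is what makes the "put the old Java back before the update" step in the comment safe to repeat.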

I kind of thought that if I revisited this story this evening there would be an update to it, like "Oracle releases new patch", or "Oracle acknowledges vulnerability, recommends users do X, Y and Z".

But no.

What a shitty company.

Yes, it's frustrating that Oracle officials won't acknowledge this critical bug, but I don't think it's helpful to call it a shitty company. We've had several Java developers express how disturbing it is that people are en masse uninstalling an app that's important to their livelihood. That's something I can empathize with. Anyone else?

The ignorant and hypocritical comments are just priceless. While we're at it let's all uninstall Windows - the most virus infested OS in the world which has zero days for every day of the week. And when Tuesday comes around be sure to grab the latest set of patches that address the zero days that have been floating around for the past couple of months. Windows is truly the cesspool of viruses and malware.

But complaining about Java itself as an attack surface seems pretty silly. We should probably be doing the exact opposite: if we encouraged more developers to write their code in Java (vs. say C++), *even* code which opens ports to the internet, the world would be a safer place. For example, Java simply prevents most buffer overflow vulnerabilities, which are still a pretty major source of compromises. The current bugs, while bad and stupid, don't let an attacker compromise an arbitrary Java program, even one which accepts incoming connections: to activate them, you have to run attacker-chosen unprivileged Java code (as the browser plugin allows).

The comment about "people who depend on Java for their livelihood are complaining" seems unfair: people are complaining about security advice that may hurt more than it helps. (For the record, I do *not* depend on Java for my livelihood.) Perhaps there are reasonable arguments for uninstalling Java: e.g., it might be fair to predict that Oracle's Java support will be so poor in the future that it will torpedo efforts to write decent applications. But the argument that Java on the computer *currently* hurts security seems flawed.

Those of you defending Java must be working with it for a living and shitting your pants at the prospect of losing your jobs.

I completely agree with Dan -- whoever doesn't need Java should remove it completely from their system.

Disabling just a browser plugin is certainly not enough -- there are exploits that will use other attack vectors to get to execute Java code on your machine outside of browser plugin. The only solution to that is not to have JRE installed.

The ignorant and hypocritical comments are just priceless. While we're at it let's all uninstall Windows - the most virus infested OS in the world which has zero days for every day of the week. And when Tuesday comes around be sure to grab the latest set of patches that address the zero days that have been floating around for the past couple of months. Windows is truly the cesspool of viruses and malware.

The only virus/malware I've contracted in more than a decade of using Windows was a couple of months ago, and you know how I got it?

The vast majority of paid security experts will tell you to reduce your attack surface by uninstalling unneeded apps. Why is it surprising to find this advice on a tech site?

Because the tech experts who aren't getting paid know that it is very tough to impossible to tell what is 'needed' and 'unneeded' in the real world.

Of course it's up to the user to determine what's needed. I don't "need" Java for anything. If I find some picayune app out there that requires Java, I can likely either find one which doesn't or use alternate means. The only exception was in the past I needed Java for a 3270 terminal session (which unfortunately required the browser plug-in) but since I don't use that on my home system anymore I simply can live without Java. I'd rather not have the hassle of installing it, making sure the browser plugins are disabled, then finding out that a later update re-enabled them (yes, this is borderline FUD, but I wouldn't be surprised.)

But complaining about Java itself as an attack surface seems pretty silly. We should probably be doing the exact opposite: if we encouraged more developers to write their code in Java (vs. say C++), *even* code which opens ports to the internet, the world would be a safer place. For example, Java simply prevents most buffer overflow vulnerabilities, which are still a pretty major source of compromises. The current bugs, while bad and stupid, don't let an attacker compromise an arbitrary Java program, even one which accepts incoming connections: to activate them, you have to run attacker-chosen unprivileged Java code (as the browser plugin allows).

The comment about "people who depend on Java for their livelihood are complaining" seems unfair: people are complaining about security advice that may hurt more than it helps. (For the record, I do *not* depend on Java for my livelihood.) Perhaps there are reasonable arguments for uninstalling Java: e.g., it might be fair to predict that Oracle's Java support will be so poor in the future that it will torpedo efforts to write decent applications. But the argument that Java on the computer *currently* hurts security seems flawed.

The recent Java 0day that installed the nasty Poison Ivy backdoor, combined with the large number of Java-based exploits in off-the-shelf exploit kits BlackHole, are pretty good examples of the very real harm that comes from having Java installed on a machine that doesn't need it.

ggordon, can you provide equally compelling examples of the harm that comes from completely uninstalling Java? It's not as though someone who uninstalls it can't reinstall it later if she wants to, no?

Great, next time remind me to look out for the author's name before I read an article; I would clearly be skipping this author's one-sided article.

One-sided? I go out of my way to make clear this is a controversial position among some and that people should decide for themselves. I've also entertained opposing viewpoints in this comment thread, even if I am ultimately not swayed by them.

Hey, Dan, love the way you completely ignore the research I shared with you, and my attempt at educating you about what a real attack surface is. Looks like you're biased after all. I won't be wasting any more time on you...

The ignorant and hypocritical comments are just priceless. While we're at it let's all uninstall Windows - the most virus infested OS in the world which has zero days for every day of the week. And when Tuesday comes around be sure to grab the latest set of patches that address the zero days that have been floating around for the past couple of months. Windows is truly the cesspool of viruses and malware.

Your statement about Windows zero-days is the kind of hyperbole I'm trying to discourage. Yes, Microsoft's July patch batch included a fix for a critical IE bug that was under attack, but the vast majority of flaws that get fixed during patch Tuesday are privately reported to Microsoft and patched before they're ever exploited. (Can anyone dig up stats on the number of Windows based zero days in the past two years?)

In any event, the number of serious vulnerabilities in IE is precisely why many people choose to stay as far away from IE as possible. How, then, is it ignorant and hypocritical for people to take a similar approach to Java, which is equally untrustworthy?

Hey, Dan, love the way you completely ignore the research I shared with you, and my attempt at educating you about what a real attack surface is. Looks like you're biased after all. I won't be wasting any more time on you...

What exactly is it you want me to do, PhilipTheHermit? As I've tried really hard to make clear, you make some valid points and present some valuable data, but I'm going to defer to the security experts on this issue. The advice I'm promoting here is pretty universal among them all. I don't think that makes me biased, and I sure don't think it means you've been wasting your time here.

The recent Java 0day that installed the nasty Poison Ivy backdoor, combined with the large number of Java-based exploits in off-the-shelf exploit kits BlackHole, are pretty good examples of the very real harm that comes from having Java installed on a machine that doesn't need it.

ggordon, can you provide equally compelling examples of the harm that comes from completely uninstalling Java? It's not as though someone who uninstalls it can't reinstall it later if she wants to, no?

Don't both of these require the attacker to be able to run code on your computer already? (That is, if you're in this position, you're already hosed, whether or not you have Java installed.) I agree there is a possible benefit here: if the code the attacker chooses to run happens to be written in Java, then you're immune. But this is a truly tiny benefit (given a chance to run arbitrary code, the attacker probably won't write it in Java), and is independent of the exploit discussed in this article (that is, a perfectly working Java install would still run code that you clicked on from an attachment from an email from that sketchy pharmacy).

The harm is exactly what I detailed in my original post, and could be substantial: deterring developers from using Java can have the (unintended) consequence of making their applications less secure. By and large, the Java security model is still superior to that of (say) C++, even with this bug in place. C++ can't even represent the idea of a sandboxed application, while Java's sandbox is a great tool for keeping poorly-written code from doing bad things. (The Java sandbox is apparently not currently a good tool for preventing adversarial code from doing bad things -- but that's irrelevant to my point, since commonly-used alternatives like C++ don't even try to prevent adversaries from using C++ code to gain control of your machine.)

I might as well add some wood to the fire: if you don't uninstall Java your computer might blow up!

mdfrncs, something isn't misinformation simply because you label it as such. If you can document inaccuracies, please do. Otherwise, it's hard for anyone here to take your comment seriously.

It's hard to take an article seriously when the author has more prowess in gardening than he does in security. Perhaps if you would take some time in between promoting comments that support you and your advice and retorting people who make an *Honest* living at this, we could take you seriously.

I'm unsure at this point if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee-jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is, and instead are giving the kind of advice that I'd expect from an employee at Best Buy. And while some of the less "inflammatory" readers may tell you in a polite manner, they just get lip service and you keep spreading your garbage, so I'll just tell you how I really feel and you can deal with it, because you are a grown ass man making comments that, if echoed, could harm someone's means of making a living due to flat out ignorance.

For the Java-based exploits to work, the targeted computer MUST have Java installed. Both of the attacks I cited above don't work at all on machines that don't have Java. That's why security experts say it's a good idea not to have Java installed on machines that don't use it.

I still don't understand how the lack of Java can make applications less secure. Can you provide an example of such an app? Can you cite any advisories or research that documents the types of damage that can result from not having Java installed on a computer?

Attacking my qualifications is just a distraction. The point this comment fails to address is the point that the vast majority of people who work in both defensive and offensive security positions are giving precisely the same advice I am. So are you saying security professionals have no better expertise than a Best Buy salesman?

I'm unsure at this point if you are just on a personal crusade to drag Java as a language through the mud, or if it's just more knee-jerk reaction from someone who isn't doing anything but reporting things that have been discovered by others, and throwing a bit of sensationalism to keep Conde Nast happy.

At either rate, you aren't defining the attack vector, and you aren't making a clear definition of how modular Java is, and instead are giving the kind of advice that I'd expect from an employee at Best Buy.

For the Java-based exploits to work, the targeted computer MUST have Java installed.

Yes. But they also don't work if the web plugin is disabled. So at this point in the discussion, you've successfully proven that one shouldn't leave the Java web plugin enabled. (Which was the first line of my original post.)

dangoodin wrote:

I still don't understand how the lack of Java can make applications less secure.

1. Know how to set up a firewall
2. Know that a particular service port is open

Questions for you:

Q1: How many average computer users know the above?
Q2: How many average computer users know how to uninstall programs?

PhilipTheHermit wrote:

doubly so if you're also running a NAT firewall/router on your home network.

And what if you don't, because it is just one computer connected directly to a cable modem, not to mention that you don't know shit about firewalls?

PhilipTheHermit wrote:

If you don't have any services listening on any ports, OR you've got them all firewalled off, it is simply not possible for another computer to initiate any sort of communications with your PC.

Except that firewalls also have vulnerabilities (an example, albeit an older one, but for a hardware firewall, which is even worse given that they should be more secure than software ones).

PhilipTheHermit wrote:

Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

You are assuming that Java code can only be run from the Java plugin, which is false.

PhilipTheHermit wrote:

I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java?

Because it may enable privilege escalation if the JRE has vulnerabilities?
Because it is portable and the same exploit can work on more than one OS?

daddysmonsters wrote:

...so I'll just tell you how I really feel and you can deal with it because you are a grown ass man making comments that if echoed could harm someones means of making a living due to flat out ignorance.

I surely hope it does some harm and if it does then good riddance. Time to use real programming languages instead of slow and vulnerable bytecode interpreter shit called Java just because it is easy to be "productive" in it.

dangoodin wrote:

I still don't understand how the lack of Java can make applications less secure.

Look up "buffer overflow" or "void *".

As I've said all along, security experts I've talked to agree widely that it's best to remove the entire JVM if it's not needed. The difficulty of removing the IE plug-in (http://support.microsoft.com/kb/2751647) is one of several reasons for this advice. That said, for those who use software that truly requires the JVM, removing the browser plugins for Java is a great step that will go a very long way to protecting against web-based attacks that exploit Java bugs.

You still haven't answered my question how the lack of Java can make applications less secure. I'm guessing from your six-word response on this matter that it has something to do with buffer overflows or void* pointers, yes? Can you elaborate, please? It would also be helpful if you could say if you're aware of any documented cases where someone has fallen victim to an attack, or experienced similar harm, as a result of not having Java installed.

Without that plugin, there is absolutely no way on Earth any other computer can do anything to your PC that you could blame Java for.

You are assuming that Java code can only be run from the Java plugin, which is false.

No, that's not what he is assuming. Obviously, 'java code' can be run by any process which has the ability to start the jvm. But that requires user-account level access to the computer, and once an attacker has that whether or not they use Java is inconsequential.

igor.levicki wrote:

PhilipTheHermit wrote:

I replied that if they're already running stuff on your PC, you're already pwned, so why bother messing with Java?

Because it may enable privilege escalation if the JRE has vulnerabilities?
Because it is portable and the same exploit can work on more than one OS?

I do not believe the first point is possible, depending on how you define 'privilege escalation'. A java program has the same access to the system that the jvm does: it cannot change that (unless the OS has some vulnerability, which is then a completely different problem).

As for the second: this statement can be read several ways. If you just mean the problem with the Java plugin (applets), sure. Otherwise, what PhilipTheHermit said applies: using Java as a method to deliver a virus/trojan/whatever still requires getting the user or a user-trusted process to start it in the first place.

igor.levicki wrote:

I surely hope it does some harm and if it does then good riddance. Time to use real programming languages instead of slow and vulnerable bytecode interpreter shit called Java just because it is easy to be "productive" in it.

A real programming language, you say? So, you must do all your programming directly in machine code, then. How fast and non-error prone that must be!

I completely agree that if a user isn't using an application, and if the application has become a significant risk to security, then the application should be removed.

The problem here, and why I think some of us are getting hot under the collar, is that the article doesn't make clear what the exact attack vector is, so the only thing we really know is that the attack surface is the JVM. But the JVM is *not* an application! It is a platform that can take on a multitude of different forms (server-side, client-side, Android, browser plugin, etc.). There are also two versions supported by Oracle, JVM 6 and JVM 7. This situation is similar to Microsoft Windows XP vs. Vista. In fact it's worse, since the JVM really tries to act like a chameleon (unsuccessfully)... ideally you shouldn't even know if you're using it or not.

So from a developer's POV, your advice in the article is tantamount to advising users to abandon a platform because there were bugs found in it. And you're getting the same vitriol as if you were to advise people to uninstall Windows because Vista was buggy, or to switch to iOS because a particular version of Android is buggy. Some people shout hallelujah while others gnash their teeth.

Now no one can disagree with you that uninstalling the JVM completely would fix the issue, but it is the most extreme approach. I think equally valid advice would be to treat the JVM like any other platform: stay on the current version until the next one gets figured out. Or if that doesn't happen, find a better platform. Surely you've done this with OS X, Fedora, Debian, Windows, Ubuntu, KDE4, whatever...

I'd love a better/more open VM, but right now the JVM is really the gold standard (the CLR is a non-starter for me). Folks are using it for high-performance computing (Hadoop, Lucene, etc.) and they're using a form of it on their devices (Dalvik, Android). It would just be a terrible thing to have it fail so completely on the desktop. This isn't like Flash, people. Ah, c'est la vie.

By the way, would it be too much to ask to get some Editor's Picks for the pro-JVM side? Surely they weren't all bad?

Really? Because I've felt like the response was record time for oracle. Huh.

And Dan, you're the one that posted complete hyperbole! Then you top-commented every response to people's outrage over it. Then you complained about civility; it didn't seem really civil to use your special powers to only top the responders backing your own opinions.

Personally, I would like to know how many computers have ACTUALLY been affected. You called for a complete removal of Java over a little flaw that hasn't really caused any real-world problems?!?! Who is the one pushing hyperbole?